Wednesday, 30 September 2015
Release Designations Defined
From https://www.cisco.com/public/library/iosplanner/reldesignation.html
Normally install only GD releases, as they are considered stable; they are usually a version or two behind the latest release. Use LD and ED releases only to patch a specific bug or issue, since those releases are more likely to contain bugs.
Tuesday, 29 September 2015
Cisco ASA AnyConnect remote access VPN
Set up a network object to use later
object network CUST_RA_NET_172.19.166.0_24
 subnet 172.19.166.0 255.255.255.0
Set up an ACL to use as the vpn-filter in the group policy
Also check the inbound ACL on your outside interface, as that is where the VPN users arrive
The object name must match the network object defined above; DMZ_PORTS_ALLOWED_OUT is assumed to be an existing service object-group of the allowed ports
access-list CUST-Rmte-ACL remark ACL to allow RA users to connect to the jump server
access-list CUST-Rmte-ACL extended permit tcp object CUST_RA_NET_172.19.166.0_24 host 172.19.150.4 object-group DMZ_PORTS_ALLOWED_OUT
access-list CUST-Rmte-ACL extended permit tcp object CUST_RA_NET_172.19.166.0_24 host 172.19.150.3 object-group DMZ_PORTS_ALLOWED_OUT
Set up an IP pool
RA users get assigned an address from this pool when they connect
ip local pool CUST-pool 172.19.166.200-172.19.166.230 mask 255.255.255.0
Set up your group policy
There are many options that can be configured here; this is just a basic one
group-policy CUST-Rmte-Users internal
group-policy CUST-Rmte-Users attributes
 banner value Warning:
 banner value
 banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
 banner value
 banner value Unauthorized access or use is a violation of company policy and the law.
 banner value
 banner value This system may be monitored for administrative and security reasons.
 banner value
 banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring
 wins-server none
 dns-server none
 vpn-filter value CUST-Rmte-ACL
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value custdomain.com
 split-tunnel-all-dns enable
 address-pools value CUST-pool
Tunnel group
tunnel-group CUST-Rmte type remote-access
tunnel-group CUST-Rmte general-attributes
 default-group-policy CUST-Rmte-Users
(or NoAccess, if the group policy will be assigned through the LDAP map later)
tunnel-group CUST-Rmte webvpn-attributes
 group-alias CUST enable
Quick enable/disable (controls whether the profile appears in the AnyConnect group drop-down; "group-alias CUST disable" hides it again)
tunnel-group CUST-Rmte webvpn-attributes
 group-alias CUST enable
Set up your users (local authentication; the password here is a sample)
username johndoe password 1234
username johndoe attributes
 vpn-group-policy CUST-Rmte-Users
Don't forget NAT
RA users arrive on the OUTSIDE interface
In this case we don't want to translate them, so this identity (twice) NAT lets them reach the internal server network on the DMZ untranslated; obj-172.19.150.0 is assumed to be an existing network object for the 172.19.150.0/24 server network
nat (OUTSIDE,DMZ) source static CUST_RA_NET_172.19.166.0_24 CUST_RA_NET_172.19.166.0_24 destination static obj-172.19.150.0 obj-172.19.150.0 no-proxy-arp route-lookup
============================
Setting up so we can match AnyConnect profiles to AD groups
You need an aaa-server group for each profile, as each one maps to its own LDAP attribute map
Create a group policy, an aaa-server group and an LDAP attribute map for each profile you want to use
Set up the group policy
group-policy GP-AC-WX-EXTERNAL internal
group-policy GP-AC-WX-EXTERNAL attributes
 banner value Warning:
 banner value
 banner value This system is restricted to authorized users for business purposes only and is subject to the Security Policy.
 banner value
 banner value Unauthorized access or use is a violation of company policy and the law.
 banner value
 banner value This system may be monitored for administrative and security reasons.
 banner value
 banner value By proceeding, you acknowledge that you have read and understand this notice and you consent to the system monitoring
 banner value
 wins-server none
 dns-server value 10.10.0.1 10.10.0.2
 vpn-simultaneous-logins 3
 vpn-filter value AC_VPN_FILTER_ACL
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value MYCUST.lgov
 webvpn
  anyconnect ssl dtls none
NoAccess group policy
Users who land here cannot log in: vpn-simultaneous-logins 0 refuses every session, so anyone the LDAP map does not match is denied
group-policy NoAccess internal
group-policy NoAccess attributes
 wins-server none
 dns-server value 10.65.65.1 10.65.65.2
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value WCCC.LGOV
 address-pools none
 ipv6-address-pools none
Find the distinguished name (DN) of the group in AD
dsquery group -name AnyconnectGroup
Set up the map
Make sure your test user is a member of AnyconnectGroup
ldap attribute-map WXCC_EXT_LDAP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov" GP-AC-WX-EXTERNAL
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
The msRADIUSFramedIPAddress line needs no map-value: the ASA passes the attribute's value (the static IP configured on the AD user object) straight through as the user's assigned address
Find the DN of the account the ASA binds with
dsquery user -name asa
Set up the aaa-server group
Watch out for the bind account sitting in a container (CN=Users) rather than an OU: the ldap-login-dn must match what dsquery returns exactly
The bind DN must live under the same directory as ldap-base-dn; the password is a sample
aaa-server WXCC_EXT_LDAP protocol ldap
aaa-server WXCC_EXT_LDAP (inside) host 10.10.0.111
 timeout 3
 ldap-base-dn dc=MYCUST,dc=lgov
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password P@55w0rd
 ldap-login-dn CN=ASA,OU=Managed Service Accounts,DC=MYCUST,DC=lgov
 server-type microsoft
 ldap-attribute-map WXCC_EXT_LDAP_MAP
aaa-server WXCC_EXT_LDAP (inside) host 10.10.0.112
 timeout 3
 ldap-base-dn dc=MYCUST,dc=lgov
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password P@55w0rd
 ldap-login-dn CN=ASA,OU=Managed Service Accounts,DC=MYCUST,DC=lgov
 server-type microsoft
 ldap-attribute-map WXCC_EXT_LDAP_MAP
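The pieces above fit together as a deny-by-default decision: the ASA reads the user's memberOf values, the attribute map turns a matching DN into a group policy, and anyone without a match falls back to the tunnel-group default, NoAccess, whose vpn-simultaneous-logins 0 refuses the session. The script below is an added example, not code from the original post or from Cisco, that models that decision so it can be checked with sample AD records before anyone connects. Policy and map names are the post's; the user records are constructed, and two matching rules (case-insensitive DN comparison, first matching memberOf wins) are assumptions rather than verified ASA behaviour. It also handles the static-IP gotcha: AD stores msRADIUSFramedIPAddress as a signed 32-bit integer, so addresses starting with an octet of 128 or more read back negative.

```python
"""Simulate the ASA's group-policy choice from AD group membership.

Added example, not code from the original post or from Cisco. It models the
LDAP attribute map + NoAccess default pattern. Policy and map names come
from the post; the user records are constructed sample data, and the
matching rules are assumptions noted in the comments.
"""
import ipaddress

# Only the attribute that decides whether a login is accepted at all.
GROUP_POLICIES = {
    "GP-AC-WX-EXTERNAL": {"vpn-simultaneous-logins": 3},
    "NoAccess": {"vpn-simultaneous-logins": 0},
}

# ldap attribute-map WXCC_EXT_LDAP_MAP: map-value memberOf "<DN>" <policy>
LDAP_MAP = {
    "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov": "GP-AC-WX-EXTERNAL",
}

TUNNEL_GROUP_DEFAULT = "NoAccess"  # tunnel-group ... default-group-policy NoAccess


def framed_ip_from_ad(value):
    """Convert msRADIUSFramedIPAddress (signed 32-bit int) to a dotted quad.

    AD holds the address in network byte order inside a signed integer, so a
    first octet >= 128 reads back negative; mask to 32 bits before converting.
    """
    if value is None:
        return None
    return str(ipaddress.IPv4Address(int(value) & 0xFFFFFFFF))


def resolve_session(member_of, static_ip=None):
    """Return (group_policy, allowed, framed_ip) for one AD user.

    Assumptions (not verified against the ASA): DN strings are compared
    case-insensitively, and the first memberOf value that matches wins.
    """
    mapped = {dn.lower(): policy for dn, policy in LDAP_MAP.items()}
    policy = TUNNEL_GROUP_DEFAULT
    for dn in member_of:
        if dn.lower() in mapped:
            policy = mapped[dn.lower()]
            break
    allowed = GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0
    return policy, allowed, framed_ip_from_ad(static_ip)


# Constructed sample users as they might come back from the LDAP search.
SAMPLE_USERS = {
    "alice": {"memberOf": ["CN=Domain Users,CN=Users,DC=MYCUST,DC=lgov",
                           "CN=AnyconnectGroup,OU=SITE1 Groups,DC=MYCUST,DC=lgov"],
              "msRADIUSFramedIPAddress": -1407998254},  # 172.19.166.210
    "bob": {"memberOf": ["CN=Domain Users,CN=Users,DC=MYCUST,DC=lgov"],
            "msRADIUSFramedIPAddress": None},
}


def evaluate(users=SAMPLE_USERS):
    """Resolve every sample user to (policy, allowed, framed_ip)."""
    return {name: resolve_session(u["memberOf"], u["msRADIUSFramedIPAddress"])
            for name, u in users.items()}


if __name__ == "__main__":
    for name, (policy, allowed, ip) in evaluate().items():
        print(f"{name}: {policy}, {'allowed' if allowed else 'DENIED'}, ip={ip}")
```

Feeding real memberOf values exported with dsquery into SAMPLE_USERS gives a quick table of who would be admitted under which policy, which is the check to run before pointing the tunnel-group default at NoAccess.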
Testing
Connect the AC client
Check assigned IP
Ping/RDP/HTTPS to the LAN
Is DNS working? Correct DNS servers set?
Default domain configured?
Intranet access
Browse into file shares
Customer test web apps
Test connecting as different users to different profiles: are the users who should be denied actually blocked from logging in?
NPS server
Policy conditions:
 request is calling from the ASA (the RADIUS client)
 user is a member of the Windows group
Monday, 14 September 2015
zip up multiple folders or directories into a single file
Say we have some folders
folder1
folder2
folder3
And we want to bundle them into a single compressed archive, old-logs.tar.gz
tar czvf old-logs.tar.gz folder*
Tuesday, 8 September 2015
nmap
nmap -sP 192.168.1.0/24 (ICMP ping the network to see who responds; -sP is the old spelling of -sn)
nmap -sP -PT80 192.168.1.0/24 (see if port 80 responds; -PT is the old TCP-ping option, current versions use -PS80 for SYN or -PA80 for ACK)
nmap -P0 --top-ports 10 192.168.1.127-254 > file (scan a range, top 10 ports only, output to a file; --top-ports needs the number of ports)
nmap -sS 192.168.1.254
-sS (SYN scan)
-sT (TCP connect)
-sU (UDP port scan)
-O (detect OS)
-sV (service version, e.g. which version of sendmail is running on port 25)
-P0 (don't ping, just scan; the old spelling of -Pn)
-T (preset timing templates, used to avoid IDS/IPS)
-p (choose ports)
-F (fast scan: only the 100 most common ports)
-n (don't do reverse DNS lookups)